Open paulbastian opened 8 months ago
There won't be a TLS connection if the server certificate of the request_uri endpoint is not trusted. There are out-of-band mechanisms that would allow the wallet to trust the request_uri endpoint beforehand. E.g., a wallet might check if the FQDN of the request_uri endpoint matches a SAN of a certificate the wallet may trust and have obtained using client_id/client_id_scheme.
I guess it makes sense to add something to the privacy considerations section.
We could use similar text to the credential_offer_uri considerations in VCI: https://openid.github.io/OpenID4VCI/openid-4-verifiable-credential-issuance-wg-draft.html#name-identifying-the-wallet
Also we should have a privacy considerations section :-) ( https://github.com/openid/OpenID4VP/issues/24 )
In the current state, according to RFC9101, the Wallet must fetch the Request Object from request_uri without having any means to verify the identity and authenticity of the Verifier. The request for this object therefore may leak data to the Verifier without the User knowing that or giving consent. Is this something that should be stated in a privacy consideration section?
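
The pre-fetch check mentioned in the thread (does the FQDN of the request_uri endpoint match a SAN of a certificate the wallet already trusts?), as an added example that is not part of the original discussion or of the OpenID4VP specification. The function names and the SAN list are assumptions: the list stands in for the dNSName entries of a certificate the wallet has already validated, and validating that certificate is out of scope here.

```python
from urllib.parse import urlsplit

# Constructed sample: dNSName SANs taken from an already-trusted Verifier certificate.
TRUSTED_SANS = ["verifier.example.com", "*.rp.example.org"]

def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")

def san_matches(host, san):
    """True if host matches one dNSName SAN entry.

    A wildcard is honoured only as the entire left-most label and
    covers exactly one label (the RFC 6125 rule).
    """
    h, s = _labels(host), _labels(san)
    if len(h) != len(s) or "" in h:
        return False
    if s[0] == "*":
        # Refuse over-broad wildcards such as "*.com".
        return len(s) >= 3 and h[1:] == s[1:]
    return h == s

def may_fetch_request_uri(request_uri, trusted_sans):
    """Decide, before any network access, whether to dereference request_uri."""
    try:
        parts = urlsplit(request_uri)
        host = parts.hostname
    except ValueError:
        return False  # malformed authority, e.g. unbalanced IPv6 brackets
    if parts.scheme != "https" or not host or "*" in host:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # userinfo can disguise the host that is really contacted
    return any(san_matches(host, san) for san in trusted_sans)

if __name__ == "__main__":
    for uri in ("https://verifier.example.com/request/abc",
                "https://verifier.example.com@other.example.net/request/abc"):
        print(uri, "->", may_fetch_request_uri(uri, TRUSTED_SANS))
```

A wallet that applies this check before the GET never contacts an endpoint outside the trusted certificate's names, so the fetch itself reveals nothing to an unidentified Verifier.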